wlanslovenija / django-tastypie-mongoengine

MongoEngine support for django-tastypie.

def apply_authorization_limits not working #90

Closed arjanvaneersel closed 6 years ago

arjanvaneersel commented 9 years ago

I'm trying to restrict the resource's results based on the logged-in user.

From the tastypie documentation I understood that I should use apply_authorization_limits for this purpose. However, for both resources it seems like apply_authorization_limits is completely ignored, because the API simply returns all records in the DB instead of applying the filters.

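class UserResource(resources.MongoEngineResource):
    """Expose ``User`` documents over the API plus session login/logout views.

    ``excludes = ['password']`` keeps the stored password hash out of every
    representation.  ``SessionAuthentication`` means callers must already hold
    a Django session; ``Authorization()`` then grants every such caller access
    to whatever ``apply_authorization_limits`` leaves in the list.
    """
    class Meta:
        queryset = User.objects.all()
        resource_name = 'users'
        # NOTE(review): 'post' combined with the permissive Authorization()
        # lets any authenticated session create users -- confirm intended.
        allowed_methods = ['get', 'post']
        excludes = ['password']
        authentication = SessionAuthentication()
        authorization = Authorization()

    def apply_authorization_limits(self, request, object_list):
        """Limit the visible users to the caller unless they are a superuser.

        NOTE(review): recent tastypie releases replaced this hook with
        ``Authorization.read_list``/``read_detail``; on such a version this
        method is never called and the unfiltered list is returned -- confirm
        against the installed tastypie.  ``filter(user=...)`` also presumes
        the User document has a ``user`` field; verify.
        """
        if request.user.is_superuser:
            return object_list
        return object_list.filter(user=request.user)

    def prepend_urls(self):
        """Register ``<resource>/login`` and ``<resource>/logout`` endpoints."""
        return [
            url(r"^(?P<resource_name>%s)/login%s$" %
               (self._meta.resource_name, trailing_slash()),
                self.wrap_view('login'), name="api_login"),
            url(r'^(?P<resource_name>%s)/logout%s$' %                    
                (self._meta.resource_name, trailing_slash()),
                self.wrap_view('logout'), name='api_logout'),
        ]

    def _login_failed(self, request):
        """Uniform 401 for any credential failure (wrong password or unknown user)."""
        return self.create_response(request, {
            'success': False,
            'reason': 'incorrect',
        }, HttpUnauthorized )

    def login(self, request, **kwargs):
        """Authenticate the caller from the request body and start a session.

        The body carries ``email`` or ``username`` plus ``password``.
        Returns ``{'success': True}`` on success, 403 ``disabled`` for an
        inactive account and 401 ``incorrect`` for any failed credential check.
        An unknown e-mail/username previously escaped as an uncaught
        ``DoesNotExist`` -- a 500 that also revealed whether the account
        existed; it now yields the same 401 as a wrong password.
        """
        self.method_check(request, allowed=['post'])

        data = self.deserialize(request, request.body, format=request.META.get('CONTENT_TYPE', 'application/json'))

        email = data.get('email', '')
        username = data.get('username', '')
        password = data.get('password', '')

        if email:
            # Resolve the e-mail to a username; treat an unknown address
            # exactly like a wrong password so the response does not leak
            # which addresses are registered.  Assumes e-mail is unique
            # (MultipleObjectsReturned is not handled) -- confirm.
            try:
                username = User.objects.get(email=email).username
            except User.DoesNotExist:
                return self._login_failed(request)
        # authenticate() attaches ``backend`` to the user it returns, so the
        # former ``user.backend = ...`` on a separately looked-up document
        # (then discarded) was dead code and is gone.
        user = authenticate(username=username, password=password)

        if not user:
            return self._login_failed(request)
        if not user.is_active:
            return self.create_response(request, {
                'success': False,
                'reason': 'disabled',
            }, HttpForbidden )
        # ``login`` here is the module-level django.contrib.auth.login, not
        # this method: method names are not in scope inside a method body.
        login(request, user)
        return self.create_response(request, {
            'success': True })

    def logout(self, request, **kwargs):
        """End the caller's session; 401 if there was none to end.

        NOTE(review): this is reachable over GET, so a state change happens
        without the CSRF protection POST would get; consider allowing only
        'post'.
        """
        self.method_check(request, allowed=['get'])
        if request.user and request.user.is_authenticated():
            logout(request)
            return self.create_response(request, { 'success': True })
        return self.create_response(request, { 'success': False }, HttpUnauthorized)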

class MessageResource(resources.MongoEngineResource):
    """Messages between users, with sender and receiver embedded in full."""
    sender = fields.ReferenceField(to=UserResource, attribute='sender', full=True)
    receiver = fields.ReferenceField(to=UserResource, attribute='receiver', full=True)

    class Meta:
        queryset = Message.objects.all()
        resource_name = 'messages'
        allowed_methods = ['get', 'post', 'put', 'patch']
        authentication = SessionAuthentication()
        authorization = Authorization()

    def obj_create(self, bundle, **kwargs):
        """Create a message with the requesting user pinned as ``sender``.

        URL ``kwargs`` are not forwarded; only ``sender`` reaches the parent
        -- presumably intentional, confirm.  NOTE(review): whether hydration
        can still overwrite ``sender`` from the payload depends on the parent
        implementation, and 'put'/'patch' are not pinned the same way --
        verify.
        """
        parent = super(MessageResource, self)
        return parent.obj_create(bundle, sender=bundle.request.user)

    def apply_authorization_limits(self, request, object_list):
        """Show only messages addressed to the requesting user.

        NOTE(review): recent tastypie releases replaced this hook with
        ``Authorization.read_list``/``read_detail``; if the installed version
        is one of those this is never called and every message is returned
        -- confirm against the installed tastypie.
        """
        current_user = request.user
        return object_list.filter(receiver=current_user)